The purpose of risk management is to support the realisation of Atria’s strategy and the achievement of objectives as well as the development of the organisation in the business environment defined in Atria’s strategy. Risk management also aims to prevent adverse events and protect business continuity.
Atria defines risk as the effect of uncertainty on the company’s objectives. Risks can cause positive or negative deviations from the objectives. For reporting purposes, Atria’s risks are divided into four categories: strategic risks, operational risks, hazard risks and financial risks. Risks may be caused by events within Atria or external conditions or events.
Risk management is guided by the Risk Management Policy approved by the Board of Directors and, where applicable, by the ISO 31000 and ISO 31010 standards. The Risk Management Policy specifies Atria’s risk management goals, responsibilities and powers, together with the principles of risk assessment and reporting. More detailed instructions on risk assessment and reporting practices are presented in Atria’s Risk Management Process Guide.
Risk management is part of Atria’s day-to-day business and helps to make decisions that take into account the impact of uncertainty on operations. At Atria Group, risk management is based on a uniform model for risk identification, assessment and reporting and forms an integral part of the annual planning process. Risk-related communications are carried out in accordance with the Group’s communications plan. Risks are managed in accordance with the specified approved principles in all business areas and Group operations.
The Board of Directors approves the Risk Management Policy and any changes to it and supervises the implementation of the principles specified in the policy. The Group’s CEO is responsible for the appropriate organisation of risk management at Atria, and the CFO sees to the development of risk management and the risk reporting framework.
The members of the Group’s Management Team are responsible for identifying and assessing strategic risks and for implementing risk management in their respective areas of responsibility. The management teams of the business areas are responsible for identifying and assessing operational risks and for implementing risk management in their business areas. The Group’s Treasury Committee is responsible for identifying and assessing financial risks and for implementing risk management throughout the Group.
When preparing an annual plan for internal audit, key observations from the risk assessments made as part of the Group’s planning process are taken into account. Every Atria employee is responsible for identifying and assessing risks associated with their work and any other risks that they encounter, and for drawing attention to and preventing such risks.
Major risks and uncertainties that the Board of Directors is aware of are discussed in more detail in the Report by the Board of Directors under “Risk management at Atria”.